Netfilter and IPSec interaction

Trevor Cordes netfilter at
Wed Aug 10 14:02:41 CEST 2005

On Sun, Jul 17, 2005 at 10:23:58PM -0500, Aleksandar Milivojevic wrote:
> Apparently, this is a known problem and it has been discussed on
> Netfilter's development lists.  There are some patches that solve it, 
> but they are not going to get into mainstream kernel since approach 

I can now confirm that the current PoM 2.6sec/NAT patches do compile into 
a 2.6.12 kernel (for me FC3 2.6.12-1.1372) with a few modifications to 
dependencies, etc.  I will be heavily testing this new kernel very 

> taken in them is problematic (and according to some sources, those 
> patches are abandoned and not maintained anymore).  I wasn't able to 
> find why the approach is problematic, but apparently the answer to that

From my understanding, the patches are too broad and affect too many
source files.  It's not "clean" and prone to maintenance errors.  The way 
it's coded/architected needs to be rethought and will probably require a 
rethink/rewrite of much more than just the bits the patch touches.

> question is buried somewhere in archives of Netfilter's development
> list.  Seems that correct approach to solve the problem still needs to 
> be found (and once found and implemented will become part of mainstream 
> kernel).

Yes, it would be nice to see that some effort is going into this problem.
